--- title: Setting up Kong Gateway description: Download, install, and configure the ping-auth plugin to set up Kong Gateway with PingAuthorize. component: pingauthorize version: 11.0 page_id: pingauthorize:pingauthorize_integrations:paz_kong_gateway_setup canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_integrations/paz_kong_gateway_setup.html revdate: March 26, 2025 section_ids: steps: Steps result: Result --- # Setting up Kong Gateway Download, install, and configure the `ping-auth` plugin to set up Kong Gateway with PingAuthorize. ## Steps 1. Install the plugin by running the `luarocks install kong-plugin-ping-auth` command. Learn more in the [Kong Gateway plugin installation guide](https://docs.konghq.com/gateway/latest/plugin-development/distribution/). 2. After installation, load the plugin into Kong by editing the `plugins = bundled,ping-auth` property in the `kong.conf` file. 3. Restart Kong Gateway. 4. To confirm the plugin loads successfully, look for the debug-level `Loading plugin: ping-auth` message in Kong's `error.log` file. 5. Use the Kong Gateway UI or API to complete the configuration. * Kong Gateway UI * Kong Gateway API 1. In Kong Manager, select the **default** workspace, and then click **Plugins**. ![Screen capture of the Plugins window in the default workspace of Kong Manager with the ping-auth plugin loaded](_images/xow1658432018704.png) 2. Next to the **ping-auth** plugin, click **Edit**, and then click the toggle to enable the plugin. ![Screen capture of the Update ping-auth plugin window enabling the ping-auth plugin in Kong Manager](_images/she1658433603588.png) 3. (Optional) To enable the plugin for specific consumers, services, or routes, click **Scoped**, and then enter **Service**, **Route**, and **Consumer** information as needed. 4. Connect Kong Gateway to PingAuthorize. 1. Make sure the **Config.Secret Header Name** value in Kong Manager matches the secret header name configured for the [Sideband API Servlet Extension](../pingauthorize_server_administration_guide/paz_sideband_api_config.html) in PingAuthorize. ![Screen capture of the Config.Shared Secret and Config.Service Url configuration for the ping-auth plugin in Kong Manger](_images/lwg1658437330617.png) 2. In the **Config.Service URL** field in Kong Manager, enter the hostname of your PingAuthorize Server instance and the port of the HTTPS Connection Handler. For example, `https://pingauthorize:8443`. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | | To find the HTTPS Connection Handler port number in the PingAuthorize administrative console, go to **Configuration > System > Connection Handlers**. | 3. In the **Config.Shared Secret** field, enter the sideband client's shared secret you created in [Preparing PingAuthorize for Kong Gateway integration](paz_kong_prepare_paz.html). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The shared secret authenticates the `ping-auth` plugin to PingAuthorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the shared secret in a vault supported by Kong. Learn more in [Secrets Management](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation. | 5. (Optional) Configure the rest of the optional fields in Kong Manager or the API. | Option | API Field Name | Description | | ------------------------------------- | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Config.Connection KeepAlive Ms** | `connection_keepAlive_ms` | The duration to keep the connection alive for reuse. The default is `60000`. | | **Config.Connection Timeout Ms** | `connection_timeout_ms` | The duration to wait before the connection times out. The default is `10000`. | | **Config.Enable Debug Logging** | `enable_debug_logging` | Controls if requests and responses are logged at the debug level. The default is `false`. For log messages to show in `error.log`, you must set `log_level = debug` in `kong.conf`. | | **Config.Verify Service Certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. This is intended for testing purposes and the default is `true`. | 6. Click **Update**, and then click **Update Plugin**. 1) Include the following JSON object in a `POST` request to https\://\/plugins: ```json { "name": "ping-auth", "enabled": true, "config": { "service_url": "https://:/", "shared_secret": "", "secret_header_name": "" } } ``` * `service_url`: The hostname of your PingAuthorize Server instance and the port of the HTTPS Connection Handler. This URL should not contain `/sideband` in the path. For example, `https://pingauthorize:8443`. * `shared_secret`: The shared secret value you created in the PingAuthorize administrative console. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The shared secret authenticates the `ping-auth` plugin to PingAuthorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the shared secret in a vault supported by Kong. Learn more in [Secrets Management](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation. | * `secret_header_name`: The name of the header in which the shared secret is provided. Learn more in the [Kong Gateway Admin API](https://docs.konghq.com/gateway/2.8.x/admin-api/#add-plugin) documentation. 2) (Optional) Configure additional options. | Option | API Field Name | Description | | ------------------------------------- | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Config.Connection KeepAlive Ms** | `connection_keepAlive_ms` | The duration to keep the connection alive for reuse. The default is `60000`. | | **Config.Connection Timeout Ms** | `connection_timeout_ms` | The duration to wait before the connection times out. The default is `10000`. | | **Config.Enable Debug Logging** | `enable_debug_logging` | Controls if requests and responses are logged at the debug level. The default is `false`. For log messages to show in `error.log`, you must set `log_level = debug` in `kong.conf`. | | **Config.Verify Service Certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. This is intended for testing purposes and the default is `true`. | ## Result Kong Gateway is now configured to work with PingAuthorize.